DETAILED ACTION

1. This office action is in reply to an amendment filed on October 10, 2007. Claims 1-5 have been 
amended. 

2. Claims 6-20 have been added.

3. Claims 1-20 are pending. 

Response to Amendment 

4. Applicant's arguments with respect to claims 1-5 have been considered but are moot in view of 
the new ground(s) of rejection. 

Applicant's arguments filed on October 10, 2007, with respect to 35 U.S.C. 101 rejections of claims 1-5
have been fully considered in view of the amendment to the claims and are persuasive. The 35 U.S.C.
101 rejections of claims 1-5 have been withdrawn.

Claim Rejections - 35 USC § 103 

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made.

6. Claims 1-20 are rejected under 35 U.S.C. 103(a) as being unpatentable over Hayashi et al
(Hayashi), US 7,167,988, and further in view of HO, US 7,188,369.

As per claim 1 Hayashi discloses:

A normalization module that obtains an executable script, and generates a normalized signature 
for the executable script: wherein generating a normalized signature for the executable script comprises 
translating tokens from the executable script into normalized tokens conforming to a common format; 
(column 8, line 1-9, the normalization code stream outputted from the normalization processing unit is 
input to signature processing unit for generating normalization signature). 

Wherein the malware detection system is configured to: compare the normalized signature of the 
executable script to the at least one normalized malware signature in the malware signature store to 
determine whether the executable script is malware; and report whether the executable script is malware 
according to the determination. (Abstract, line 10-16, compares the first hash value and the second hash 
value and judges the code stream is (is not) falsified). 

A computer-implemented malware detection system for determining whether an executable script 
is malware according to its functionality, the malware detection system comprising: A malware signature 
store including at least one known malware script signature, wherein each malware signature in the 
malware signature store is a normalized signature of a known malware script; (column 8, line 1-9, the 
signature processing unit 13 generates signature data for the inputted normalization code stream). 

Hayashi does not explicitly disclose a malware signature store. However, in the same field of
endeavor, Ho teaches this limitation (abstract, line 1-6, an antivirus database comprising a plurality of
computer virus signatures for detecting a malware).

Therefore, it would have been obvious to one of ordinary skill in the art, at the time the
invention was made, to modify the teaching of Hayashi and include the above limitation using the
teaching of Ho. The modification would be obvious because one of ordinary skill in the art would be
motivated to add the above limitation for enhancing the security of the system by providing an antivirus
system (column 1, line 50-55).

As per claim 2 Hayashi discloses:

The malware detection system of Claim 1, further comprising a comparison module, wherein the 
comparison module compares the normalized signature of the executable script to the at least one 
normalized signature in the malware signature store for the malware detection system. (Abstract, line 10- 
16, compares the first hash value of normalized code stream and the second hash value and judges the 
code stream is (is not) falsified). 

As per claims 3, 4 and 5 Hayashi discloses: 

A normalization means that obtains an executable script, and generates a normalized signature 
for the executable script, wherein the normalized signature for the executable script comprises a set of 
normalized tokens translated from corresponding tokens in the executable script into a common format 
suitable for comparison with the at least one malware signature in the malware signature store means, 
(column 8, line 1-9, the normalization code stream outputted from the normalization processing unit is 
input to signature processing unit for generating normalization signature). 

A comparison means that compares the normalized signature for the executable script to the at 
least one malware signature in the malware signature storage means; wherein the malware detection 
system is configured to determine whether the executable script is malware according to the comparison 
performed by the comparison means, and report whether the executable script is malware. (Abstract, line 
10-16, compares the first hash value and the second hash value of normalized code stream and judges 
the code stream is (is not) falsified). 

A computer-implemented malware detection system for determining whether an executable script
is malware, the malware detection system comprising: a malware signature storage means including at
least one known malware signature, wherein each malware signature in the malware signature store
means is a normalized signature of a known malware script; (column 8, line 1-9, the signature processing
unit 13 generates signature data for the inputted normalization code stream).

Hayashi does not explicitly disclose a malware signature store. However, in the same field of
endeavor, Ho teaches this limitation (abstract, line 1-6, an antivirus database comprising a plurality of
computer virus signatures for detecting a malware).

Therefore, it would have been obvious to one of ordinary skill in the art, at the time the
invention was made, to modify the teaching of Hayashi and include the above limitation using the
teaching of Ho. The modification would be obvious because one of ordinary skill in the art would be
motivated to add the above limitation for enhancing the security of the system by providing an antivirus
system (column 1, line 50-55).

As per claim 6 Hayashi discloses: 

The malware detection system of Claim 2, wherein translating tokens from the executable script 
into a common format suitable for comparison with the at least one malware signature in the malware 
signature store comprises renaming tokens from the executable script according to a common naming 
convention. (Column 11, line 8-15, the normalization processing unit applies the normalization process to 
the code stream). 

Hayashi does not explicitly disclose a malware signature in a malware signature store. However, in
the same field of endeavor, Ho teaches this limitation (abstract, line 1-6, an antivirus database
comprising a plurality of computer virus signatures for detecting a malware).

Therefore, it would have been obvious to one of ordinary skill in the art, at the time the
invention was made, to modify the teaching of Hayashi and include the above limitation using the
teaching of Ho. The modification would be obvious because one of ordinary skill in the art would be
motivated to add the above limitation for enhancing the security by providing an antivirus system (column
1, line 50-55).

As per claim 10 Hayashi discloses: 

The malware detection system of Claim 3, wherein determining whether the executable script is 
malware according to the comparison performed by the comparison means comprises determining
whether the comparison found a complete match between the normalized signature for the executable 
script and a normalized malware signature in the malware signature store means and if so, reporting that 
the executable script is malware. (Column 11, line 8-15, the normalization processing unit applies the 
normalization process to the code stream). 

Hayashi does not explicitly disclose a malware signature in a malware signature store. However, in
the same field of endeavor, Ho teaches this limitation (abstract, line 1-6, an antivirus database
comprising a plurality of computer virus signatures for detecting a malware).

Therefore, it would have been obvious to one of ordinary skill in the art, at the time the
invention was made, to modify the teaching of Hayashi and include the above limitation using the
teaching of Ho. The modification would be obvious because one of ordinary skill in the art would be
motivated to add the above limitation for enhancing the security by providing an antivirus system (column
1, line 50-55).

As per claims 13 and 17 Hayashi discloses: 

The method of Claim 4, wherein determining, based on the previous comparison, whether the 
executable script is malware comprises determining if the first normalized signature for the executable 
script is a complete match with a normalized signature of known malware, and if so, reporting that the 
executable script is malware. (Column 11, line 8-15, the normalization processing unit applies the 
normalization process to the code stream). 

Hayashi does not explicitly disclose a malware signature in a malware signature store. However, in
the same field of endeavor, Ho teaches this limitation (abstract, line 1-6, an antivirus database
comprising a plurality of computer virus signatures for detecting a malware).

Therefore, it would have been obvious to one of ordinary skill in the art, at the time the
invention was made, to modify the teaching of Hayashi and include the above limitation using the
teaching of Ho. The modification would be obvious because one of ordinary skill in the art would be
motivated to add the above limitation for enhancing the security by providing an antivirus system (column
1, line 50-55).

As per claims 7, 11, 14, 16, and 18 Hayashi discloses: 

The malware detection system of Claim 6 further configured to: if the prior determination indicates 
that the executable script is a partial match to at least one malware signature in the malware signature 
store: generate a second normalized signature for the executable script, wherein generating a second 
normalized signature comprises translating tokens from the executable script into a second common 
format suitable for comparison with a second normalized malware signature of known malware in the 
malware signature store; (column 8, line 1-9, the normalization code stream outputted from the
normalization processing unit is input to signature processing unit for generating normalization signature). 

Determine whether the executable script is malware according to a comparison between the 
second normalized signature and at least one second normalized signature in the malware signature 
store. (Column 8, line 1-9, the signature processing unit 13 generates signature data for the inputted 
normalization code stream). 

Hayashi does not explicitly disclose a malware signature store. However, in the same field of
endeavor, Ho teaches this limitation (abstract, line 1-6, an antivirus database comprising a plurality of
computer virus signatures for detecting a malware).

Therefore, it would have been obvious to one of ordinary skill in the art, at the time the
invention was made, to modify the teaching of Hayashi and include the above limitation using the
teaching of Ho. The modification would be obvious because one of ordinary skill in the art would be
motivated to add the above limitation for enhancing the security of the system by providing an antivirus
system (column 1, line 50-55).



As per claims 8, 12, 15 and 19 Hayashi discloses:

The malware detection system of Claim 7, wherein translating tokens from the executable script
into a second common format suitable for comparison with a second normalized malware signature of 
known malware in the malware signature store comprises translating tokens of the executable script into 
a common name according to each token's type. (Column 11, line 8-15, the normalization processing unit 
applies the normalization process to the code stream). 

Hayashi does not explicitly disclose a malware signature in a malware signature store. However, in
the same field of endeavor, Ho teaches this limitation (abstract, line 1-6, an antivirus database
comprising a plurality of computer virus signatures for detecting a malware).

Therefore, it would have been obvious to one of ordinary skill in the art, at the time the
invention was made, to modify the teaching of Hayashi and include the above limitation using the
teaching of Ho. The modification would be obvious because one of ordinary skill in the art would be
motivated to add the above limitation for enhancing the security by providing an antivirus system (column
1, line 50-55).

As per claim 9 Hayashi discloses: 

The malware detection system of Claim 6, wherein generating a normalized signature for the
executable script further comprises generating a set of normalized tokens for each routine in the 
executable script. (Column 7, line 27-35, several parameters are designated in normalization method. For 
example, in the case of an image coding system described later, the number of divisions of discrete 
wavelet conversion, a type of a progressive order, presence or absence of execution of arithmetic coding 
of a lower bit plane, a size of a code block, and the like are designated). 

As per claim 20 Hayashi discloses: 

The computer-readable medium of Claim 19, wherein the method further comprises comparing 
the second normalized signature for the executable script to second normalized signatures of known 
malware to determine whether the second normalized signature for the executable script is a partial 
match to a second normalized signature of known malware, and if so, reporting that the executable script
is potential malware. (Column 11, line 8-15, the normalization processing unit applies the normalization 
process to the code stream). 

Hayashi does not explicitly disclose a malware signature in a malware signature store. However, in
the same field of endeavor, Ho teaches this limitation (abstract, line 1-6, an antivirus database
comprising a plurality of computer virus signatures for detecting a malware).

Therefore, it would have been obvious to one of ordinary skill in the art, at the time the
invention was made, to modify the teaching of Hayashi and include the above limitation using the
teaching of Ho. The modification would be obvious because one of ordinary skill in the art would be
motivated to add the above limitation for enhancing the security by providing an antivirus system (column
1, line 50-55).

Conclusion 

7. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

TITLE: Detection of polymorphic script language viruses by data driven lexical analysis, US Pub. No. 
2002/0073330. 

8. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office 
action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of 
the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from 
the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date 
of this final action and the advisory action is not mailed until after the end of the THREE-MONTH 
shortened statutory period, then the shortened statutory period will expire on the date the advisory action 
is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later than SIX
MONTHS from the date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should 
be directed to Teshome Hailu whose telephone number is (571) 270-3159. The examiner can normally 
be reached on Mon-Fri 7:30a.m. to 5:00p.m. PST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ayaz 
R. Sheikh can be reached on (571) 272-3795. The fax phone number for the organization where this 
application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be obtained from 
either Private PAIR or Public PAIR. Status information for unpublished applications is available through
Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) 
at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative 
or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

Teshome Hailu 
December 21, 2007 